Request for Quotation For the Supply, Installation, and Configuration of Firewall Upgrade Project

Transcription

1 Request for Quotation For the Supply, Installation, and Configuration of Firewall Upgrade Project PASEGURUHAN NG MGA NAGLILINGKOD SA PAMAHALAAN (GOVERNMENT SERVICE INSURANCE SYSTEM) Financial Center, Pasay City

2

3 A. Confidentiality Statement This document, and any attachments thereto, regardless of form or medium, is intended only for use by the addressee(s) and may contain legally privileged and/or confidential, copyrighted, trademarked, patented or otherwise restricted information viewable by the intended recipient only. If you are not the intended recipient of this document (or the person responsible for delivering this document to the intended recipient), you are hereby notified that any dissemination, distribution, printing or copying of this document, and any attachment thereto, is strictly prohibited and violation of this condition may infringe upon copyright, trademark, patent, or other laws protecting proprietary and, or, intellectual property. In no event shall this document be delivered to anyone other than the intended recipient or original sender and violation may be considered a breach of law fully punishable by various domestic and international courts. If you have received this document in error, please respond to the originator of this message or him/her at the address below and permanently delete and/or shred the original and any copies and any electronic form this document, and any attachments thereto and do not disseminate further. B. Submission Details Submission Deadlines All submissions for responding to this request must be submitted on paper and delivered to our office, as stated below, no later than: Friday, July 3, 2015 No later than 5:00pm EDT Submission Delivery Address The delivery address to be used for all submissions is: ALEXANDER A.S EA Information Security Office 6F GSIS Head Office Financial Center, Pasay City 1308 Voice: (632) aasea@gsis.gov.ph Submission Questions and Clarifications You may contact the following person if you have any questions or require clarification on any topics covered in this Request For Proposal: ALEXANDER A.S EA Information Security Office 6F GSIS Head Office Financial Center, Pasay City 1308 Voice: (632) aasea@gsis.gov.ph

4 Electronic Submissions Electronic submissions in response to this Request for Proposal will be accepted as long as they meet the following criteria: Sent via to: Document standards: Must be in PDF format Containing the company seal or the proponent C. Terms of Reference 1. Project Scope The winning bidder is responsible for the following: 1. Supply, installation and configuration of network firewall systems 2. Software and hardware warranty and maintenance from the date of acceptance. 3. Capability building/training 4. Project documentation 5. Technical Support off-site and on-site. 2. Minimum Technical Requirements 2.1. Lot 1 Enterprise Network Firewall General Requirements High availability must support active-active and active-standby Must support an optical and copper port Must have central management console Highly reliable platform with hot-swappable redundant power supply, hard disk drives and fans Able to remotely diagnose, start, stop and manage the appliance and capable of remotely installing an OS image from an ISO file via web interface The appliance must be managed locally with its integrated security management of via unified central management Must be similar to our existing production network firewall and existing warranties must be applied to the proposed solution.

5 Multi-Core appliance-based real-time and embedded based firewall system Bidder must be certified and trained to offer front line technical support directly to end-users and must maintain a back line direct support relationship with manufacturer The prospective bidder should be able to escalate reported problems directly to manufacturer and should be certified and trained to offer front line technical support directly to end-users. Maintains a back line direct support relationship with manufacturer The prospective bidder must be an Appliance Certified Expert support provider and is trained to offer and deliver on-site replacement service for the proposed product The prospective bidder should be an Authorized Partner of the proposed product. Bidder must submit a current and valid certification from the manufacturer Must be in leader quadrant of Gartner Magic Quadrant for Enterprise Network Firewall Management Software Specification: Must have a dedicated application client console for security policy configurations of Firewall, application controls, IPS, IPSec VPN, etc. in order to prevent Cross Site Request Forgery (CSRF) attacks Must have dedicated application client console for reviewing traffic and audit logs. Logs searching must be intuitive or Google-like Must have dedicated security policy tabs for Firewall, application control, IPS, etc. for flexible definitions and focused creation of rules Must have policy based NAT rules for granular creation of source, destination and port translations Must have profile based IPS policy assignments. IPS Signatures must have a rating for severity, confidence level and performance impact and auto/scheduled update feature Must be able to set application control policy actions accept, block, bandwidth limit and time based Must have user awareness interactions (ask and inform) integrated on application control policy to educate them on security risks and company policies Must have a multi logical management capability

6 Must be able to create Global policy and share it across multiple logical management Must have a dedicated dashboard and logging database for each logical management Must have granular administrative controls and role assignments Must allow multiple administrators to work on different logical management simultaneously Internal Firewall Hardware Specification Firewall throughput minimum of 70Gbps, 1518 byte UDP Intrusion Prevention System (IPS) throughput minimum of 7 Gbps, running on Recommended policy, IMIX traffic Concurrent connections minimum of 20 million Connections per second minimum of 170,000, 64 byte HTTP response Interface ports, RJ45, minimum of 6 x 1000Base-T Interface ports, minimum of 6 x 10Gb SFP+ with SR transceivers (LC connector) RAM minimum of 64GB Dual power supply, hot swappable Dual hot swappable Hard disk drive (HDD) minimum size of 500GB, RAID Lights out management (LOM) card Operating system must be vendor proprietary, running on 64bit Must have multicore performance acceleration technologies Software Security Technologies Must have stateful packet inspection Must have address spoofing protection Must support Network Address Translation (NAT) - oneto-one, many-to-one and policy based NAT

7 Must have granular policy definitions per user, group and machine identity Configurable user role identity with combination of either user, group or machine Must have seamless and agent less integration with active directory Must have multiple identification methods but not limited to ff. browser-based authentication w/ captive portal & transparent Kerberos authentication support, AD query and identity client-side app Must have a built-in Intrusion Prevention System (IPS) to prevent application layer attacks, vulnerabilities and exploits Must be Application aware. Current application identification must be minimum of 4,000+ and classify minimum of 300,000+ Web 2.0 widgets inside social networking, instant messaging, VOIP, etc Virtual Firewall Technology (Internal Firewall) Must have a license of at least 10 Virtual Firewalls Must be able to support VLANs Must be able to allocate customized policy per Virtual Firewalls Must have creation templates of Virtual Firewalls Must have Virtual Routers and Virtual Switches Must have per Virtual Firewall resource usage monitoring (CPU, memory, concurrent connections, etc.) Must able to support per Virtual Firewall resource allocation External (Perimeter) Firewall Hardware Specs Firewall throughput minimum of 10Gbps, 1518 byte UDP VPN throughput minimum of 2Gbps, AES IPSec VPN tunnels minimum of 30, IPS throughput minimum of 1Gbps, running on Recommended policy, IMIX traffic

8 Interface port: at least 10 copper ports Concurrent connections minimum of 3 million Connections per second minimum of 70,000, 64 byte HTTP response RAM minimum of 8GB Single power supply, capable of dual hot swappable HDD minimum size of 250GB LOM card Operating system must be vendor proprietary, running on 64bit Must have multicore performance acceleration technologies Software Specs Security Technologies Must have stateful packet inspection Must have address spoofing protection Must support Network Address Translation (NAT) - oneto-one, many-to-one and policy based NAT Must have granular policy definitions per user, group and machine identity Configurable user role identity with combination of either user, group or machine Must have seamless and agent less integration with active directory Must have multiple identification methods but not limited to ff. browser-based authentication w/ captive portal & transparent Kerberos authentication support, AD query and identity client-side app Must have built-in Intrusion Prevention System (IPS) to prevent application layer attacks, vulnerabilities and exploits Must be Application aware. Current application identification must be minimum of 4,000+ and classify minimum of 300,000+ Web 2.0 widgets inside social networking, instant messaging, VOIP, etc.

9 Must have Anti Bot that has detection methods at least but not limited to Reputation (IPs, URLs, DNS), traffic patterns and bot types. Database must be cloud and dynamically updated in real time Must able to support IPSec Virtual Private Networking (VPN) - Site-to-Site VPN and Remote Access Must have a Secure Socket Layer (SSL) VPN for secured remote access of corporate resources. Connectivity must either via Web Based and VPN Client with support for SmartPhones minimum of IOS and Android, license is at least 200 users (concurrent based) Must be able to support SSL inspection with option for SSL low level inspection High Availability (HA) and Networking Technologies Must be able to perform Active-Active or active-standby device high-availability (HA) with session/state synchronization and automatic load distribution. Active- Active setup must only require one Virtual IP-address (VIP) which is shared among HA members for ease of configuration for adjacent hosts and devices Must able to detect device failure when configured as HA Must able to detect link failure when configured as HA Must able to support both IPv4 and IPv Must able to support 802.3ad link aggregation Must have bandwidth controls or Quality-of-Service (QoS) to prioritize and limit network applications and hosts Must have Server Load Balancing to distribute load to multiple servers serving identical services Must have ISP-Redundancy and support for minimum of two ISP Must have policy-based routing support 2.2. Lot 2 Web Application Firewall (WAF) for Disaster Recovery Site Technical Requirements Delivery, installation and configuration to GSIS DR site inclusive of implementation team accommodation and travel expenses

10 Able to prevent but not limited to OWASP Top 10 web application attacks, SQL injection, cross site scripting or cross site request forgery web service security including but not limited to XML/SOAP, XML protocol performance, web services signature Fraud and malware detection Content modification includes but not limited to URL rewriting, custom error message, cookie signing, cookie encryption, or error code handling System should be scalable, able to support multiple network The proposed solution must have perpetual license(s) Must have a DDOS prevention capability Must have web application acceleration Must be able to update signature/policy Authentication: supports LDAP (Active Directory) Automated tracking of web application users Deployment mode: supports transparent bridge (layer 2), reverse proxy and transparent proxy (layer 7) and non-inline sniffer Management: must have a web user interface (http/https) and command line (SSH/console) Stateful firewall Supports data leak prevention for credit card number, PII (personally identifiable information), or pattern matching Integrated graphical reporting Supports SNMP Supports IPV4 and IPV Must be in the leader or challenger quadrant of June 2014 Gartner Magic quadrant for web application firewall ICSA Labs Certified Web Application Firewall 3. Warranty and Maintenance from the date of acceptance Lot 1 Enterprise Network Firewall Software and hardware warranty and maintenance for one(1) year including free subscription of software upgrade and updates

11 3.2. Lot 2 - Web Application Firewall for Disaster Recovery Site Software and hardware warranty and maintenance for three(3) year including free subscription of software upgrade and updates 4. Capability Building 4.1. The vendor shall provide classroom type administrator s training to a minimum of three (3) participants including training hand-outs with hands-on. 5. Technical Support 5.1. Lot 1- Enterprise Network Firewall One (1) year technical support period from the date of acceptance and completion Technical support response time must be at most one (1) hour for phone support and at most two (2) hours for onsite support Off-site support should be available via and internet 5.2. Lot 2 - Web Application Firewall for Disaster Recovery Site Three (3) years technical support period from the date of acceptance and completion Technical support response time must be at most one (1) hour for phone support and at most two (2) hours for onsite support 6. Project Documentation The vendor shall provide project documentation such as but not limited to: Project Plan Systems configuration System procedure and maintenance including shutdown and power up procedure.